Vigil@nce - OTRS: Cross Site Scripting via an email
September 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send an email to OTRS, in order to generate a
Cross Site Scripting in the Firefox/Opera web browser of the
victim who reads the message.
Impacted products: OTRS Help Desk
Severity: 2/4
Creation date: 30/08/2012
DESCRIPTION OF THE VULNERABILITY
The OTRS service processes messages coming from users.
However, emails in HTML format are not correctly filtered before
being inserted in web pages generated by OTRS. For example:
– nested HTML tags are not filtered
– blocks of type "script", with a closing tag containing spaces
are not filtered
– JavaScript expressions contained in CSS style sheets are not
filtered
– block of type SVG are not filtered
– tags with the attribute "src=" are not filtered
An attacker can therefore send an email to OTRS, in order to
generate a Cross Site Scripting in the Firefox/Opera web browser
of the victim who reads the message.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OTRS-Cross-Site-Scripting-via-an-email-11906